User Tools

Site Tools


Remove SSL Key Passphrase (.p12)

By default, ssl certificates are created using a password. For example, OpenVPN keys (.p12 files) always have a passphrase in them.

However, when automating connections, such as ensuring an OpenVPN connection is created on boot, requires the private key passphrase to be removed.

I got tired of the almost 10 commands to do this, so I wrote the following Perl script. If you don't want to run a Perl script, simply copy/paste the commands (it is just a list of commands to run).

This should be executed as: /full/path/to/key.p12 'passphrase'

The original encrypted key will be stoed as, then the key will be removed. It will ask for a passphrase two times, and just pressing Enter will give it a blank passphrase.

NOTE: if you enter a passphrase, it will simply encrypt it with the new one.
#! /usr/bin/perl -w
use Cwd 'abs_path';
my $keyfile = shift;
my $passphrase = shift;
$keyfile = abs_path( $keyfile );
die "the first parameter should be the full path to your p12 file" unless -e $keyfile;
die "the second parameter should be the password to your p12 file" unless $passphrase;
sub runCommand {
   my $command = shift;
  if ($? == -1) {
      die "$command\nfailed to execute: $!\n";
  elsif ($? & 127) {
      die sprintf( "$command\n died with signal %d, %s coredump\n",
          ($? & 127),  ($? & 128) ? 'with' : 'without' );
  else {
     die sprintf( "$command\n exited with value %d\n", $? >> 8) if $? >> 8;
chdir '/tmp';
&runCommand( "cp '$keyfile' '$'" );
&runCommand( "openssl pkcs12 -clcerts -nokeys -in '$keyfile' -out certificate.crt -password pass:'$passphrase' -passin pas:'$passphrase'" );
&runCommand( "openssl pkcs12 -cacerts -nokeys -in '$keyfile' -out -password pass:'$passphrase' -passin pass:'$passphrase'" );
&runCommand( "openssl pkcs12 -nocerts -in '$keyfile' -out private.key -password pass:'$passphrase' -passin pass:'$passphrase' -passout pass:joe" );
&runCommand( "openssl rsa -in private.key -out 'NewKeyFile.key' -passin pass:joe" );
&runCommand( "cat 'NewKeyFile.key' > PEM.pem" );
&runCommand( "cat 'certificate.crt' >> PEM.pem" );
&runCommand( "cat '' >> PEM.pem" );
&runCommand( "openssl pkcs12 -export -nodes -CAfile -in PEM.pem -out '$keyfile'" );
other/encryption/ssl_key_passphrase.txt · Last modified: 2016/12/09 23:39 by